[Conditional Access] Require MAM except for Authenticator?

I have a conditional access policy applied requiring MAM and MFA for iOS/Android devices.

This poses a problem when a user is setting up Microsoft Authenticator w/ TAP. It returns this upon login:

“It looks like you're trying to open this resource with a client app that is not available for use with app protection policies.”

I can’t see a way to exclude Authenticator on the CA policy.

What is the best way to tackle this?

Thanks.